Slashdot Mirror
Breaking Google's DRM
An anonymous reader writes "Google's new Google Print service (that lets you see scanned pages from printed books) has a pile of advanced browser-disabling DRM in it ('Pages displaying your content have print, cut, copy, and save functionality disabled in order to protect your content.'). This works with JavaScript turned off, even in Free Software browsers. Seth Schoen has posted preliminary notes on some breaks to the DRM (beyond just automating a screenshotting process), including a proposal for a circumventing proxy that would fetch Google Print pages and strip out the DRM. A full exploration of the html obfuscation and DRM employed by Google would be very interesting; certainly the ability for a remote attacker to disable critical browser features like save, right-click, copy and cut against the user's wishes is a major security vulnerability in Moz/Firefox and should be fixed ASAP."
Google DRM
g url with cryptographic signature"); background-repeat:no-repeat; background-position:center left; background-color:white; }
.theimg background, to be saved to disk. For some reason, Save Page As.../Web Page (complete) still declined to download the background image at all, even in the absence of JavaScript, as if perhaps the CSS parser in the display logic in Firefox is smarter than the CSS parser in the Save Page As... code.
.mozilla/firefox/default.*/Cache/[0-9A-F]*). I'm still puzzled about why Page Info and the DOM Inspector won't actually reveal the image referenced in the .theimg style or allow it to be saved.
( [^ "]+\)")
.theimg, and then to load it directly. Perhaps that will change in the future.
To further protect your book content, printing and image copying functions are disabled on all Google Print content pages.
Similarly:
We've put a number of measures in place to prevent the downloading, copying, or printing of your content [...] Pages displaying your content have print, cut, copy, and save functionality disabled in order to protect your content.
I'm surprised at how much effort Google went to here. I would have expected my browser not to be vulnerable to having any of its "functionality disabled", yet, with a recent Firefox, I found that I couldn't
1. print the page to a PostScript file,
2. right-click on the page at all,
3. save the page to disk (the image would somehow not be downloaded at all),
4. view the precious image in Page Info/Media (although I could see which image it was),
5. save the precious image in Page Info/Media,
6. find the precious image in the DOM Inspector (which seemed like the really heavy artillery), although the DOM Inspector did let me see its URL as part of an uninterpreted style definition, and seem to reveal the trick: defining a style called ".theimg", with the definition
{ background-image:url("http://print.google.com/lon
and then invoking that style inside a tag:
So I tried turning off JavaScript, and I found that I was essentially no better off: right-clicking caused a copy of cleardot.gif, not the
The two ways I've found so far that work to capture images from Google Print are a screen capture (I used xwd, which of course worked perfectly) and looking in the on-disk cache (ls -lrt
If you wanted to write a proxy that would make Google Print pages capable of being saved to disk, you would presumably want to match
background-image:url("http://print.google.com/\
(although you'd need to be careful to match only the one in the definition of ".theimg", because it looks like there may at least one other background-image:url) and then replace
I haven't tried this because it felt like too much work relative to the previous two methods.
Contrary to what I expected, Google Print does not seem to check referer, so it seems to be possible merely to extract the URL from the definition of
Google must have hired some experts on html image protection or html obfuscation. To be sure, there are lots of other tricks in Google Print that I had never seen before. It is hard to think that the author of that HTML obfuscation was not the subject of Richard Stallman's accidental haiku. It is amusing to think that Mr. Bad's "other" DeCSS might at last be used for some kind of circumvention (although I doubt it, because presumably Google Print simply won't work at all with the CSS removed).
Seacrh for "economic development".
gerv, a mozilla developer, has a few blog entries that talk about how the print service tries to stop you from getting to the jpeg's, and how to bypass that.
Google Print, And Clue Barriers
Google Print Hacking Ideas
nostrils
First, turn off javascript. then turn on image dimensions. right click on the dimensions for the main image, and click view background image.
http://print.google.com/print?id=ULQSG0Zs7vcC&pg=3 &img=1&q=mastering+digital+photography&sig=gv2nFpt Ef0dj7Gzb8eZ4U8UdtUo
is the URL that is used, and surprisingly it is linkable from outside, it doesn't appear to check IP's, browsers, or anything else. (deep link away!)
I'd like to see something like this, for instance, in Firefox's security settings near the Javascript permission settings:
Block sites from:
[X] Disabling right-click context menus
In Firefox:
* "Edit" -> "Preferences"
* Select "Web Features"
* Click the "Advanced" button next to "Enable JavaScript"
* Uncheck "Disable or replace context menus"
(This was bug 86193, checked into the code in March. It's in 1.0PR)
As for single-window mode, there are plenty of extensions. Try the one called "Tabbrowser Extensions", for instance.